[PART 2] Automated WebApp Provisioning and Secure Monitoring

Mon, 10 Mar 2025 07:13:02 +0000

Blog ini merupakan kelanjutan dari bagian sebelumnya. Jika belum membacanya, bisa cek disini.

Langkah Implementasi

Instalasi dan Konfigurasi Tools Prometheus.

Note : Lakukan langkah dibawah ini di monitoring node.

Download dan ekstrak file Prometheus.

~$ sudo su -
~# cd /opt
/opt# wget
https://github.com/prometheus/prometheus/releases/download/v2.48.1/prometheus-2.48.1.linux-amd64.tar.gz
/opt# tar xvfz prometheus-2.48.1.linux-amd64.tar.gz

Menambahkan file konfigurasi untuk Prometheus.

/opt# cd prometheus-2.48.1. linux-amd64
/opt/prometheus-2.48.1. linux-amd64# vim config.yml

---
global:
  scrape_interval:     10s
  evaluation_interval: 15s

scrape_configs:
  - job_name: 'node'
    scrape_interval:  5s
    static_configs:
    - targets: ['192.168.4.10:9100','192.168.4.20:9100','192.168.4.30:9100']

  - job_name: 'nginx'
    static_configs:
    - targets: ['192.168.4.20:9113']

  - job_name: 'cadvisor'
    static_configs:
    - targets: ['192.168.4.30:8080']

  - job_name: 'docker'
    static_configs:
    - targets: ['192.168.4.30:9323']

alerting:
  alertmanagers:
  - static_configs:
    - targets:
      - 192.168.4.10:9093

rule_files:
  - "rules/container.yml"
  - "rules/node.yml"
  - "rules/web-server.yml"

Membuat SSL Key dan Certificate Signing Request.

/opt/prometheus-2.48.1.linux-amd64# sudo openssl genrsa -out /opt/prometheus-2.48.1.linux-amd64/prometheus.key 2048
/opt/prometheus-2.48.1.linux-amd64# sudo openssl req -new -key /opt/prometheus-2.48.1.linux-amd64/prometheus.key -out /opt/prometheus-2.48.1.linux-amd64/prometheus.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]: South Kalimantan
Locality Name (eg, city) []:Banjarbaru
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Membuat SSL Self-Signed Certificate.

/opt/prometheus-2.48.1.linux-amd64# openssl x509 -req -days 365 -signkey prometheus.key -in prometheus.csr -out prometheus.crt -extfile <(echo "subjectAltName=IP:192.168.4.10" )

Certificate request self-signature ok
subject=C = ID, ST = South Kalimantan, L = Banjarbaru, O = Internet Widgits Pty Ltd

Instalasi paket yang dibutuhkan untuk basic authentication.

~# sudo apt-get update && sudo apt install apache2-utils -y

Membuat password untuk basic authentication.

~# htpasswd -nBC 12 "" | tr -d ':\n'
New password: <inputYourPassword>
Re-type new password: <inputYourPassword>

$2y$12$<saltAndHash>

Menambahkan konfigurasi untuk web agar SSL dan basic authentication diterapkan.

/opt/prometheus-2.48.1. linux-amd64# vim web.yml
basic_auth_users:
rifkyards: $2y$12$<saltAndHash>
tls_server_config:
    cert_file: /opt/prometheus-2.48.1.linux-amd64/prometheus.crt
    key_file: /opt/prometheus-2.48.1.linux-amd64/prometheus.key

Menambahkan rules untuk mengirimkan alert node yang mati ke Alert Manager.

/opt/prometheus-2.48.1.linux-amd64# vim rules/node.yml

# Add this lines
groups:
  - name: NodeStatus
    rules:
      - alert: "NodeMonitoringDown"
        expr: up{instance="192.168.4.10:9100"} == 0
        for: 5m
        labels:
          severity: critical
          instance: "{{ $labels.instance }}"
          alertname: "NodeMonitoringDown"
        annotations:
          title: "{{ $labels.instance }} is down"
          description: "The server with IP {{ $labels.instance }} has been down for more than 5 minutes."

      - alert: "NodeClient1Down"
        expr: up{instance="192.168.4.10:9100"} == 0
        for: 5m
        labels:
          severity: critical
          instance: "{{ $labels.instance }}"
          alertname: NodeClient1Down
        annotations:
          title: "{{ $labels.name }} is down"
          description: "The server with IP {{ $labels.instance }} has been down for more than 5 minutes."

      - alert: "NodeClient2Down"
        expr: up{instance="192.168.4.30:9100"} == 0
        for: 5m
        labels:
          severity: critical
          instance: "{{ $labels.instance }}"
          alertname: NodeClient2Down
        annotations:
          title: "{{ $labels.instance }} is down"
          description: "The server with IP {{ $labels.instance }} has been down for more than 5 minutes."

Menambahkan rules untuk mengirimkan alert Nginx Server yang mati ke Alert Manager.

/opt/prometheus-2.48.1.linux-amd64# vim rules/web-server.yml

# Add this lines
groups:
  - name: WebNginxStatus
    rules:
      - alert: NginxDown
        expr: nginx_up{instance="192.168.4.20:9113", job="nginx"} == 0
        for: 5m
        labels:
          severity: critical
          instance: "{{ $labels.instance }}"
          alertname: NginxDown
        annotations:
          title: "{{ $labels.name }} is down"
          description: "The {{ $labels.job }} server on {{ $labels.instance }} has been down for more than 5 minutes."

Menambahkan rules untuk mengirimkan alert container yang mati ke Alert Manager.

/opt/prometheus-2.48.1.linux-amd64# vim rules/container.yml

# Add this lines
groups:
  - name: containerMonitoring
    rules:
      - alert: "Container2048Down"
        expr: absent(container_start_time_seconds{name="2048-apps",instance="192.168.4.30:8080"})
        for: 5m
        labels:
          severity: critical
          instance: "{{ $labels.instance }}"
          alertname: Container2048Down
        annotations:
          title: "{{ $labels.name }} is down"
          description: "The {{ $labels.name }} container on {{ $labels.instance }} has been down for more than 5 minutes."

      - alert: "ContainerTicTacToeDown"
        expr: absent(container_start_time_seconds{name="tic-tac-toe-apps",instance="192.168.4.30:8080"})
        for: 5m
        labels:
          severity: critical
          instance: "{{ $labels.instance }}"
          alertname: ContainerTicTacToeDown
        annotations:
          title: "{{ $labels.name }} is down"
          description: "The {{ $labels.name }} container on {{ $labels.instance }} has been down for more than 5 minutes."

      - alert: "GeneralContainerDown"
        expr: time() - container_last_seen{instance="192.168.4.30:8080", image!="", name!~"2048-apps|tic-tac-toe-apps|cadvisor"} > 220
        for: 20s
        labels:
          severity: critical
          instance: "{{ $labels.instance }}"
          alertname: GeneralContainerDown
          resolved: 'false'
        annotations:
          title: "{{ $labels.name }} is down"
          description: "A container {{ $labels.name }} on {{ $labels.instance }} has been down for more than 5 minutes."

Menambahkan konfigurasi untuk Prometheus berjalan di SystemD.

~# vim /etc/systemd/system/prometheus_server.service

# Add this lines
[Unit]
Description=Prometheus Server

[Service]
User=root
ExecStart=/opt/prometheus-2.48.1.linux-amd64/prometheus --config.file=/opt/prometheus-2.48.1.linux-amd64/config.yml --web.config.file=/opt/prometheus-2.48.1.linux-amd64/web.yml --web.external-url=https://192.168.4.10:9090/

[Install]
WantedBy=default.target

Menjalankan perintah agar SystemD Prometheus berjalan.

~# systemctl daemon-reload
~# systemctl start prometheus_server
~# systemctl enable prometheus_server

Instalasi dan Konfigurasi Tools Alert Manager.

Note : Lakukan langkah dibawah ini di monitoring node.

[PART 1] Automated WebApp Provisioning and Secure Monitoring

Mon, 10 Mar 2025 03:13:02 +0000

Dalam lingkungan TI modern, banyak organisasi menghadapi tantangan dalam mengelola kombinasi aplikasi berbasis SystemD dan container. Kesulitan ini dapat menyebabkan kurangnya visibilitas terhadap performa sistem, meningkatkan risiko downtime yang tidak terdeteksi, dan menyulitkan tim dalam merespons masalah dengan cepat.

Untuk mengatasi tantangan ini, pendekatan yang umum diterapkan adalah menetapkan satu server sebagai pusat monitoring dan kontrol otomatisasi. Server ini berperan dalam mengintegrasikan berbagai alat seperti Terraform untuk otomatisasi pembuatan infrastruktur berbasis container, serta Ansible untuk mengelola konfigurasi sistem, termasuk pengumpulan metrik dan pengelolaan aplikasi berbasis SystemD.

Using Horizon and Yuyu to Track Your OpenStack Resource

Wed, 19 Feb 2025 03:33:46 +0000

Pada blog sebelumnya tentang Deploying Openstack with OpenStack-Ansible, telah dibahas bagaimana OpenStack memungkinkan pengelolaan banyak server secara otomatis dan efisien, sehingga menciptakan infrastruktur cloud yang lebih stabil dan mudah dikembangkan.

Namun, untuk pengelolaan biaya dan tagihan terkait penggunaan sumber daya OpenStack, dibutuhkan sebuah solusi tambahan yang memudahkan pemantauan dan perhitungan biaya. Yuyu Billing hadir sebagai plug-in untuk OpenStack yang memungkinkan pengelolaan tagihan secara otomatis dan efisien. Dengan Yuyu, Anda dapat menghitung biaya untuk berbagai fitur OpenStack, seperti instance flavors, volumes, floating IPs, routers, snapshots, dan images, sehingga memudahkan pengelolaan anggaran dan memastikan transparansi biaya dalam lingkungan cloud.

Deploying OpenStack with Openstack-Ansible

Tue, 18 Feb 2025 06:33:46 +0000

Saat ini, pengelolaan banyak server secara manual sangat tidak efisien dan memerlukan waktu yang lama. Jika salah satu server mengalami gangguan, sistem dapat terganggu, dan proses penambahan server baru juga cukup rumit. Solusi yang dapat diterapkan adalah menggunakan OpenStack, yang menggabungkan seluruh server menjadi satu sistem cloud agar lebih fleksibel dan mudah dikelola. Untuk memastikan proses ini berjalan otomatis dan efisien, digunakan OpenStack-Ansible, yang memungkinkan konfigurasi sistem dilakukan tanpa perlu pengaturan manual satu per satu. Dengan solusi ini, infrastruktur menjadi lebih stabil, mudah dikembangkan, dan lebih andal dalam menghadapi gangguan.